
How We Were Hacked

OVER THE COMING ISSUES, HOTEL SA WILL SHARE STORIES ABOUT HOW INDIVIDUALS AND BUSINESSES HAVE BEEN HACKED.

In this story, imagine that this person is one of your finance staff, working in your company bank accounts.

Note: Mary is not the person’s real name.

Mary opened her online bank account as she normally did, using her user name and strong password.

After she had accessed her personal banking page, a pop-up screen appeared. It ghosted out the web page she was on and contained a message panel.

The message appeared to come from the bank. It asked her to make a $2 transaction as a security checking procedure. She was assured that the funds would not come out of her account.

Mary tried to click away from the message but was unable to do so without acting on it.

Frustrated by the experience but reassured that the pop-up was occurring within the bank’s website, she entered the details for a $2 transaction. The shaded overlay screen promptly disappeared and she could access her bank accounts as normal.

Mary was slightly suspicious. She checked the account over the next few days and noted that the transaction had not occurred.

Two weeks later, she went to an account that she rarely used and found that the balance was $0.

Alarmed, she checked another sub-account and found that it had also been stripped of funds. The hackers had left her main account until last and drained most of her funds – but left a small balance (perhaps to avoid raising a red flag at the bank).

Four weeks after the theft, Mary was still working with the bank to recover the funds.

WHAT HAPPENED?

Somehow, Mary’s computer had been infected by a virus.

She is a smart person who does not click on unknown links, open spammy emails or visit “dodgy” websites. Yet it appears that the hackers had managed to install a virus on her laptop.

The virus recognised when the bank account was opened and was able to overlay a ghosted web page over the official bank web page. The overlay was well designed and matched the design and wording normally used by her bank.

WHAT SHOULD YOU DO?

All security experts and government agencies say the same thing: your staff are the weak link in your defences.

Make sure you regularly communicate the need for them to be wary about opening emails and attachments from unknown sources. Attachments that seem unusual but come from a trusted source should always be verified – by phone!

For larger organisations, organise training and also consider whether staff should be tested to assess their level of knowledge and to identify any gaps.
